server: fix set caps on container create

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca 2017-05-05 12:14:34 +02:00
parent 715785950c
commit 139b16bac2
No known key found for this signature in database
GPG key ID: B2BEAD150DE936B9
7 changed files with 80 additions and 114 deletions


@ -400,11 +400,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
capabilities := linux.GetSecurityContext().GetCapabilities() capabilities := linux.GetSecurityContext().GetCapabilities()
toCAPPrefixed := func(cap string) string {
if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
return "CAP_" + cap
}
return cap
}
if capabilities != nil { if capabilities != nil {
addCaps := capabilities.AddCapabilities addCaps := capabilities.AddCapabilities
if addCaps != nil { if addCaps != nil {
for _, cap := range addCaps { for _, cap := range addCaps {
if err := specgen.AddProcessCapability(cap); err != nil { if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
return nil, err return nil, err
} }
} }
@ -413,7 +419,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
dropCaps := capabilities.DropCapabilities dropCaps := capabilities.DropCapabilities
if dropCaps != nil { if dropCaps != nil {
for _, cap := range dropCaps { for _, cap := range dropCaps {
if err := specgen.DropProcessCapability(cap); err != nil { if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
return nil, err return nil, err
} }
} }
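Review bot: toCAPPrefixed (lines 17–22) normalizes the prefix but not the case, so a request carrying `setuid` becomes `CAP_setuid` while `SETUID` becomes `CAP_SETUID` and `cap_setuid` passes through untouched; whether specgen accepts the mixed-case form depends on runtime-tools' capability validation, which is outside this hunk, but an exact-match check there would reject the lowercase spelling and the create would fail. Uppercasing once makes the result independent of how the kubelet spells the name: `if !strings.HasPrefix(strings.ToUpper(cap), "CAP_") { return "CAP_" + strings.ToUpper(cap) }` followed by `return strings.ToUpper(cap)`. Because both the add loop at line 27 and the drop loop at line 35 return the specgen error, an unrecognized or mis-cased name fails the container create closed instead of silently leaving a capability in place, which is the right direction for drop_capabilities; a one-line comment on the helper, `// CRI sends bare names (e.g. "setuid"); the OCI spec expects CAP_XXX`, would make that intent clear. createSandboxContainer starts and ends outside the hunk.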


@ -51,30 +51,22 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"capabilities": { "security_context": {
"add_capabilities": [ "capabilities": {
"setuid", "add_capabilities": [
"setgid" "setuid",
], "setgid"
"drop_capabilities": [ ],
"audit_write", "drop_capabilities": [
"audit_read" "audit_read"
] ]
}, },
"selinux_options": { "selinux_options": {
"user": "system_u", "user": "system_u",
"role": "system_r", "role": "system_r",
"type": "container_t", "type": "container_t",
"level": "s0:c4,c5" "level": "s0:c4,c5"
}, }
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
} }
} }
} }


@ -51,30 +51,22 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"capabilities": { "security_context": {
"add_capabilities": [ "capabilities": {
"setuid", "add_capabilities": [
"setgid" "setuid",
], "setgid"
"drop_capabilities": [ ],
"audit_write", "drop_capabilities": [
"audit_read" "audit_read"
] ]
}, },
"selinux_options": { "selinux_options": {
"user": "system_u", "user": "system_u",
"role": "system_r", "role": "system_r",
"type": "container_t", "type": "container_t",
"level": "s0:c4,c5" "level": "s0:c4,c5"
}, }
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
} }
} }
} }


@ -4,7 +4,7 @@
"attempt": 1 "attempt": 1
}, },
"image": { "image": {
"image": "docker://busybox:latest" "image": "busybox:latest"
}, },
"command": [ "command": [
"/bin/sh", "-c" "/bin/sh", "-c"
@ -53,30 +53,22 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"capabilities": { "security_context": {
"add_capabilities": [ "capabilities": {
"setuid", "add_capabilities": [
"setgid" "setuid",
], "setgid"
"drop_capabilities": [ ],
"audit_write", "drop_capabilities": [
"audit_read" "audit_read"
] ]
}, },
"selinux_options": { "selinux_options": {
"user": "system_u", "user": "system_u",
"role": "system_r", "role": "system_r",
"type": "container_t", "type": "container_t",
"level": "s0:c4,c5" "level": "s0:c4,c5"
}, }
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
} }
} }
} }


@ -53,30 +53,22 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"capabilities": { "security_context": {
"add_capabilities": [ "capabilities": {
"setuid", "add_capabilities": [
"setgid" "setuid",
], "setgid"
"drop_capabilities": [ ],
"audit_write", "drop_capabilities": [
"audit_read" "audit_read"
] ]
}, },
"selinux_options": { "selinux_options": {
"user": "system_u", "user": "system_u",
"role": "system_r", "role": "system_r",
"type": "svirt_lxc_net_t", "type": "svirt_lxc_net_t",
"level": "s0:c4-c5" "level": "s0:c4-c5"
}, }
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
} }
} }
} }


@ -18,11 +18,5 @@
"log_path": "", "log_path": "",
"stdin": false, "stdin": false,
"stdin_once": false, "stdin_once": false,
"tty": false, "tty": false
"linux": {
"user": {
"uid": 0,
"gid": 0
}
}
} }


@ -51,14 +51,12 @@
"memory_limit_in_bytes": 88000000, "memory_limit_in_bytes": 88000000,
"oom_score_adj": 30 "oom_score_adj": 30
}, },
"capabilities": { "security_context": {
"add_capabilities": [ "capabilities": {
"sys_admin" "add_capabilities": [
] "sys_admin"
}, ]
"user": { }
"uid": 0,
"gid": 0
} }
} }
} }